b"March 27, 2003\nAudit Report No. 03-024\n\n\nInternal Control Over Receivership\nReceipts\n\x0cFederal Deposit Insurance Corporation                                                                     Office of Audits\n801 17th St. NW Washington DC. 20434                                                         Office of Inspector General\n\n\n\n\nDATE:               March 27, 2003\n\n\nTO:                 Fred S. Selby, Director\n                    Division of Finance\n\n                    Mitchell L. Glassman, Director\n                    Division of Resolutions and Receiverships\n\n                    Arleas Upton Kea, Director\n                    Division of Administration\n\n\n\n\nSUBJECT:            Internal Control Over Receivership Receipts (Audit Report Number 03-024)\n\n\nThis report presents the results of our audit of the Federal Deposit Insurance Corporation\xe2\x80\x99s\n(FDIC) internal control over receivership receipts. The objective of the audit was to determine\nwhether the FDIC has effectively implemented selected internal controls to safeguard recoveries\nfrom the liquidation of failed insured depository institution1 assets. Our work was conducted to\nassist the U.S. General Accounting Office (GAO) with its audit of the Bank Insurance Fund\n(BIF), Savings Association Insurance Fund (SAIF), and Federal Savings and Loan Insurance\nCorporation (FSLIC) Resolution Fund (FRF) financial statements for the years ended\nDecember 31, 2002 and 2001.2 Additional details on the audit objective, scope, and\nmethodology, including the specific controls tested, are included in Appendix I.\n\n\nBACKGROUND\n\nA receivership is a temporary entity that is established when the primary federal or state\nregulatory authority closes an insured depository institution and appoints the FDIC as receiver to\nmanage the business affairs of the failed institution. The receivership receipts process\nencompasses those activities associated with receiving and controlling monetary items from all\n\n\n1\n  Insured depository institutions include banks and savings institutions.\n2\n The Financial Institutions Reform, Recovery, and Enforcement Act of 1989 (FIRREA) created the BIF, SAIF, and\nFRF. The BIF and SAIF are insurance funds responsible for protecting insured bank and thrift depositors from loss\ndue to institution failures. The FRF is a resolution fund from which funds are used to wind up the affairs of the\nformer Federal Savings and Loan Insurance Corporation and liquidate the assets and liabilities transferred from the\nformer Resolution Trust Corporation.\n\x0csources until they are deposited in the correct account or forwarded to the proper recipient. This\nprocess also includes preparing journal entries to record receipts and related transactions in the\nFDIC Financial Information Management System (FIMS). Policies and procedures applicable\nto the receipt process are described in the FDIC\xe2\x80\x99s Field Financial Operations (FFO) Accounting\nManual.\n\nThe FDIC\xe2\x80\x99s Division of Resolutions and Receiverships (DRR), Field Operations Group,\nAccounting Operations (AO), located in Dallas, Texas, has overall responsibility for processing\nand accounting for all receivership receipts. The majority of the receipts received are wired and\ndeposited directly into the receiverships\xe2\x80\x99 bank depository account. The remaining receipts are\ngenerally sent either to the FDIC mailroom or to a lockbox maintained by Bank One.3 An\noutside contractor provides mailroom services at the FDIC Dallas, Texas location. The\nmailroom is responsible for opening the mail, identifying which envelopes contain check\nreceipts, recording the checks received, and forwarding the checks to AO for further processing.\nThe FDIC also contracted with Bank One for lockbox services. Bank One is required to collect,\nopen, and process all receipts received through the lockbox and deposit them directly into the\nreceiverships\xe2\x80\x99 bank depository account.\n\nAO processes receipts for the BIF, the SAIF, and the FRF. These receipts generally consist of\nloan payments from debtors of failed financial institutions. The group also processes receipts for\nprior Resolution Trust Corporation4 receiverships, and these receipts generally consist of\nremittances for loan payments from contracted asset servicers.5 During the period\nJanuary 1, 2002 through December 31, 2002, the FDIC recorded over $3.6 billion in receivership\nreceipts transactions.\n\n\nRESULTS OF AUDIT\n\nThe FDIC effectively implemented the selected internal controls to safeguard recoveries from the\nliquidation of failed insured depository institution assets. We identified the following controls\nthat were in place and operating:\n\n\xe2\x80\xa2   The FDIC receives image copies of checks deposited through the lockbox and also receives a\n    confirmation of funds wired to the receiverships\xe2\x80\x99 bank account.\n\n\n\n\n3\n   The lockbox in this instance is a unique United States Postal Service address used specifically to identify\ncustomer remittances.\n4\n  The RTC existed from August 1989 through December 1995 and was established by Congress as a temporary\nfederal agency to clean up the savings and loan crisis after the Federal Savings and Loan Insurance Corporation was\nabolished.\n5\n  An asset servicer is a contractor acting on behalf of the FDIC in the administration and servicing of assets, such as\nloans. The servicer\xe2\x80\x99s functions include collecting and recording payments from borrowers; negotiating,\ncompromising, and restructuring loans; and reporting to the FDIC.\n\n\n                                                           2\n\x0c\xe2\x80\xa2   Control totals6 are established for checks received in the FDIC mailroom, the lockbox, and\n    wires received.\n\n\xe2\x80\xa2   The total checks deposited, wires received, items placed on hold, and checks released to third\n    parties are reconciled to the total receipts processed in the FDIC\xe2\x80\x99s receipts processing\n    system. The total receipts processed are further reconciled to the FDIC\xe2\x80\x99s FIMS general\n    ledger.7\n\n\xe2\x80\xa2   The bank statements are reconciled to the FDIC general ledger within 30 calendar days of the\n    period covered by the bank statement.\n\n\xe2\x80\xa2   FDIC management reviews aging reports8 to identify receipts that have not been applied to\n    the proper account.\n\n\xe2\x80\xa2   Journal entries are reviewed and approved to record and apply receipts received.\n\nHowever, we noted the following deficiencies in controls related to receivership receipts\nprocessing.\n\n\xe2\x80\xa2 Contractor mailroom employees did not follow FFO Accounting Manual procedures that\n    require opening mail under dual control. Dual control in this instance means that two\n    employees open and record mail receipts. Dual control provides reasonable assurance that\n    checks received are handled appropriately to prevent unauthorized access and use.\n\n\xe2\x80\xa2   The mailroom employees did not promptly establish a record of receipts in accordance with\n    the FFO Accounting Manual. The contractor personnel held receipts overnight before\n    recording them, rather than promptly recording and processing them as required by the\n    manual. Prompt recording of receipts prevents loss of accountability due to error or fraud.\n\n\xe2\x80\xa2   The AO group responsible for the cashiering function9 processes receipts in an unrestricted\n    area. All FDIC employees as well as contractor employees have access to the area where\n    receipts are processed. The FFO Accounting Manual requires that access to the area be\n    limited to personnel designated by Division of Finance (DOF) management and that cipher\n    locks and fireproof file cabinets be utilized to protect receipts.\n\n\n\n\n6\n  A control total can include an individual listing of the receipts and the total dollar amount of the receipts.\n7\n  A general ledger is a collection of all asset, liability, equity, revenue, and expense accounts.\n8\n  Aging reports identify the elapsed time that an item has been held in suspense and not charged to an appropriate\nasset or income account.\n9\n  The cashier function is responsible for assuming and retaining control of monetary items from the time of receipt\nuntil proper disposition. This process also includes controlling monetary payments that cannot be deposited due to\nrestrictive endorsements, cannot be identified to a liquidation, or belong to a non-FDIC entity.\n\n\n                                                         3\n\x0c\xe2\x80\xa2 AO did not perform an annual site visit in calendar year 2002 to observe the operations of the\n     contractor performing lockbox services for the FDIC. Such observations are important to\n     ensuring that internal control is operating as intended. The FDIC represented that site visits\n     of lockbox operations were performed in prior years, but DRR did not observe the operations\n     for calendar year 2002.\n\n\xe2\x80\xa2 The FDIC FFO Accounting Manual has not been updated to reflect the current organization\n     structure and responsibilities resulting from the reorganization of DOF and DRR. An up-to-\n     date manual helps ensure that receipts are handled in accordance with established policies\n     and procedures.\n\nWe provided the results of our audit, including the deficiencies, to the GAO for its consideration\nin evaluating the Corporation\xe2\x80\x99s internal control over financial reporting and compliance with\nlaws and regulations. Accordingly, we are not making recommendations to address the\ndeficiencies, and the GAO will determine whether they are either individually or in the aggregate\nmaterial weaknesses10 or reportable conditions11 that warrant further reporting in the reports on\nthe FDIC\xe2\x80\x99s financial statements.\n\n\nCORPORATION COMMENTS AND OIG EVALUATION\n\nOur report does not include recommendations for corrective actions. However, we provided our\ndraft report to the Director, Division of Finance, Director, Division of Resolutions and\nReceiverships, and the Director, Division of Administration. The Division of Finance and the\nDivision of Resolutions and Receiverships responded that they had no comments.\n\nOn March 24, 2003, the Division of Administration responded via email that it would not be\nproviding a formal written response to the draft report since the report contains no findings or\nrecommendations. The Division of Administration further stated that two internal control\nconcerns were presented to DOA by the OIG as \xe2\x80\x9cMatters for Further Consideration12 (MFC)\xe2\x80\x9d in\nan email dated February 5, 2003. As stated in DOA\xe2\x80\x99s response to the MFC, DOA staff members\nin Dallas have taken necessary corrective actions to address the issues at hand. Specifically,\naccording to DOA, the corrective actions already taken are as follows:\n\n\n10\n   The American Institute of Certified Public Accountants standards define a material weakness as a reportable\ncondition in which the design or operation of one or more of the internal control components does not reduce to a\nrelatively low risk that misstatements caused by error or fraud in amounts that would be material in relation to the\nfinancial statements being audited may occur and not be detected within a timely period by employees in the normal\ncourse of performing their assigned functions.\n11\n   A reportable condition is a matter coming to the auditor\xe2\x80\x99s attention that in his (or her) judgment, should be\ncommunicated to the audit committee because the matter represents significant deficiencies in the design or\noperation of the internal control that could adversely affect the FDIC\xe2\x80\x99s ability to initiate, record, process, and report\nfinancial data consistent with the assertions of management in the financial statements.\n12\n   The Matters for Further Consideration form is used to document the request for further information from the\nFDIC regarding discrepancies and potential internal control weaknesses found during the audit.\n\n                                                            4\n\x0c       \xe2\x80\xa2   Upon implementation of the mailroom contract, dual control procedures were\n           discussed with the contractors by the FDIC employees. In January 2003, the FDIC\n           Oversight Manager met with the contractor\xe2\x80\x99s Project Manager and alternate,\n           instructing them thoroughly on the dual control process. The importance of each step\n           in the dual control process was emphasized to all contract employees. Additionally,\n           the Oversight Manager has been instructed to spend time each day in the mailroom\n           overseeing the dual control process and to prepare a report on the result of his\n           observations. Frequent oversight by the Oversight Manager and Technical Monitors\n           will ensure the dual control process is strictly adhered to.\n\n       \xe2\x80\xa2   The contractor has been instructed on procedures for logging cash items/receipts\n           immediately upon receipt. All receipts are now entered onto a log and copied\n           immediately, within dual control guidelines. If the cut-off time for DOF processing\n           has elapsed, the recorded items are placed in a safe until the next morning.\n\nWhile the corrective actions taken by DOA address several of the deficiencies noted in our\nreport, we did not review them as part of our audit and cannot conclude on their effectiveness.\n\n\n\n\n                                                5\n\x0c                                                                               APPENDIX I\n\n\n                          OBJECTIVE, SCOPE, AND METHODOLOGY\n\nThe objective of the audit was to determine whether the FDIC has implemented effective internal\ncontrol to safeguard recoveries from the liquidation of failed insured depository institution\nassets. Our work was not intended to express, and we do not express, opinions on the fair\npresentation of the balances for corporate receivables for 2002 or 2001, or related internal\ncontrol over financial reporting and compliance with laws and regulations. Such opinions, if\nexpressed, are the responsibility of the GAO as the principal auditor for the FDIC\xe2\x80\x99s corporate\nfinancial statements.\n\nTo achieve our objective, we followed the process outlined in the GAO/President\xe2\x80\x99s Council on\nIntegrity and Efficiency Financial Audit Manual. Specifically, we:\n\n     \xe2\x80\xa2 Observed the mailroom processing procedures in Dallas, Texas. The OIG auditor was\n     accompanied by an employee of the outside contractor and FDIC management during the\n     observation.\n\n     \xe2\x80\xa2 Made inquiries to DRR and DOA personnel regarding the processing of receivership\n     receipts.\n\n     \xe2\x80\xa2   Verified that receipts charged to cash suspense13 were monitored by FDIC management.\n\n     \xe2\x80\xa2 Conducted tests to determine whether the FDIC was reconciling the bank statements for\n     the depository bank accounts to the FIMS general ledger.\n\n     \xe2\x80\xa2 Selected and evaluated a statistical attribute sample14 of 45 receivership receipts\n     transactions recorded in FIMS during the period of January 1, 2002 through December 31,\n     2002. Transactions between the FDIC and receiverships were excluded from the sample.\n\nWe relied on computer processed data to complete our audit; therefore, we tested the reliability\nof data by comparing the data in FIMS to source documentation. We found no instances of\nnon-compliance with significant provisions of applicable laws and regulations as they relate to\nthe processing of receivership receipts. The applicable laws identified were: the FDI Act\nSections 11(a) (4) (A) and 11A(a)(1), codified to 12 U.S.C. \xc2\xa7\xc2\xa71821 and 1821a, which require the\nFDIC to separately maintain and not commingle the BIF, SAIF, and FRF. There are no\nperformance measures with which the FDIC must comply regarding the processing of\nreceivership receipts. Therefore, we did not perform testing related to performance objectives.\n\n13\n   Cash suspense is a general ledger account used to record and accommodate timing differences between the receipt\nof cash collections and their posting to the appropriate asset or income accounts.\n14\n   An attribute sample is a sample designed to determine what percentage or proportion of a population has the\ncharacteristic an auditor is interested in.\n\n                                                        6\n\x0cWe performed fieldwork at the FDIC's Regional Office in Dallas, Texas. We conducted the\naudit from November 2002 through February 2003 in accordance with generally accepted\ngovernment auditing standards.\n\n\n\n\n                                             7\n\x0c"